Specifications
The IP rule again has the NAT action and this is necessary if the protected local hosts have private
IPv4 addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the
IP address of the interface connected to the ISP as the source interface. Responding hosts will
send back ICMP responses to this single IP and cOS Core will then forward the response to the
correct private IPv4 address.
Adding a Drop All Rule
The top-down nature of the IP rule set scanning has already been discussed earlier. If no
matching IP rule is found for a new connection then the default rule is triggered. This rule is
hidden and cannot be changed and its action is to drop all such traffic as well as generate a log
message for the drop.
In order to gain control over the logging of dropped traffic, it is recommended to create a drop
all rule as the last rule in the main IP rule set. This rule has an Action of Drop with the source and
destination network set to all-nets and the source and destination interface set to any.
The service for this rule must also be specified and this should be set to all_services in order to
capture all types of traffic.
If the this rule us the only one defined, displaying the main IP rule set will be as shown below.
Chapter 4: cOS Core Configuration
49